Difference between revisions of "OWASP Periodic Table of Vulnerabilities - SQL Injection"
Older revision: James Landis (talk | contribs), minor edit
Newer revision: James Landis (talk | contribs), minor edit (Minor grammar/spelling edits)

| Section | Older revision (as archived) | Newer revision |
| --- | --- | --- |
| Root Cause Summary | Applications that have insufficient input | Applications that have insufficient input validation or non-validated literal strings concatenated into a dynamic SQL statement and subsequently interpreted as code by the SQL engine |
| Browser / Standards Solution | (unchanged) | (unchanged) |
| Perimeter Solution | Web Application Firewalls (WAFs) can help in reducing SQL Injection attacks by filtering popular and well known attack inputs. WAFs are driven by a set of predefined rules that can help mitigate SQL | Web Application Firewalls (WAFs) can help in reducing SQL Injection attacks by filtering popular and well known attack inputs. WAFs are driven by a set of predefined rules that can help mitigate SQL Injection attacks to a certain extent. |
| Generic Framework Solution | * ''' | * '''Parameterized Queries''' - Use parameterized queries to execute any SQL commands |
| | * '''Input Validation''' - Validate all inputs that are passed to the SQL statement for accuracy of datatypes, boundary limits and accepted | * '''Input Validation''' - Validate all inputs that are passed to the SQL statement for accuracy of datatypes, boundary limits and accepted character set |
| | * '''Escape Sequences''' - In cases where it is not possible to use parametric queries (like legacy code), ensure that the SQL engine sensitive characters are escaped appropriately. [ [[To provide a | * '''Escape Sequences''' - In cases where it is not possible to use parametric queries (like legacy code), ensure that the SQL engine sensitive characters are escaped appropriately. [ [[To provide a separate link for this]] ] |
| Custom Framework Solution | (blank) | None |
| Custom Code Solution | * When building custom solutions, make sure that SQL queries are constructed dynamically with table names and views after | * When building custom solutions, make sure that SQL queries are constructed dynamically with table names and views after thorough and proper validation of the schema and the table/view. |
| | * As a | * As a precautionary measure, ensure that the tables have appropriate access control through policies |
| | * Whenever possible, when building custom solutions, use the underlying databases prepared queries library. | (unchanged) |
| | (blank) | * Stored procedures must not contain string-concatenated SQL queries, either. |
| Discussion / Controversy | (unchanged) | (unchanged) |
| References | (unchanged) | (unchanged) |

The newer revision also removes the runs of blank lines that followed the Perimeter, Generic Framework, Custom Framework and Custom Code sections.
Revision as of 20:52, 15 May 2013
SQL Injection
Root Cause Summary
Applications that have insufficient input validation or non-validated literal strings concatenated into a dynamic SQL statement and subsequently interpreted as code by the SQL engine
Browser / Standards Solution
None
Perimeter Solution
Web Application Firewalls (WAFs) can help reduce SQL Injection attacks by filtering popular and well-known attack inputs. WAFs are driven by a set of predefined rules that can mitigate SQL Injection attacks only to a certain extent, since they match known patterns rather than fixing the underlying query construction.
Generic Framework Solution
- Parameterized Queries - Use parameterized queries to execute any SQL command, so that user-supplied values are bound as data and never parsed as part of the statement.
- Input Validation - Validate all inputs that are passed to the SQL statement for correctness of data type, boundary limits and accepted character set.
- Escape Sequences - In cases where it is not possible to use parameterized queries (such as legacy code), ensure that the characters the SQL engine treats as special are escaped appropriately. [ To provide a separate link for this ]
Custom Framework Solution
None
Custom Code Solution
- When building custom solutions, make sure that SQL queries which are constructed dynamically with table or view names are built only after thorough validation of the schema and of the table/view name, since identifiers cannot be passed as query parameters.
- As a precautionary measure, ensure that the tables have appropriate access control through policies.
- Whenever possible, when building custom solutions, use the underlying database's prepared-queries library.
- Stored procedures must not contain string-concatenated SQL queries, either.
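As an added example (not part of the OWASP page), the two Custom Code points above side by side in Python with the standard-library `sqlite3` module: a concatenated query beside its parameterized form, and a dynamically chosen table name validated against an allow-list because identifiers cannot be bound as parameters. The table names, rows and `ALLOWED_TABLES` set are constructed sample data.

```python
import sqlite3

# Allow-list of tables that dynamic queries may touch (constructed for this
# example). Identifiers cannot be bound as parameters, so they are checked
# against this set before being placed into the statement text.
ALLOWED_TABLES = {"users", "orders"}


def setup_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER, user_id INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Vulnerable: the value is concatenated into the statement, so a quote
    # inside `name` ends the literal and the rest is interpreted as SQL.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened: the value is bound as a parameter; the SQL engine never
    # parses it, so quotes inside it are just characters of the value.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def count_rows(conn, table):
    # Dynamic table name: validate against the allow-list first, then quote
    # the identifier. Anything not on the list is rejected outright.
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
```

Running `find_user_vulnerable` with a value containing a quote returns rows the caller never asked for, while `find_user_safe` with the same value returns nothing, which is the difference parameterization makes.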